Logic for mfa-authn-config.xml

Cantor, Scott cantor.2 at osu.edu
Thu Jan 11 21:51:47 EST 2018


> Yes, *I* can certainly tell the difference between them, but I'm not quite
> sure I can fold up that piece of paper and stick it in the server running the idp
> to avail of it ;). That arbitrary decision list for management needs to be
> encoded and stored somewhere such that the MFA selection script can avail
> of it.

How would you expect the IdP to distinguish these unless you can articulate a rule? If you can, then that answers the question you're asking, that's the rule.

Maybe the best way I can answer is to simply say that we have three types of applications:

- the ones that ask for MFA
- the ones that require MFA and can't ask, which I enumerate with a relying party rule
- the ones that "require MFA sort of except for when they don't", which involve both enumerating services and combining it with an attribute lookup on the user

All of that is fairly obvious to implement, using a couple of different relying party overrides and some user attribute checks.

-- Scott
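[Added example, not part of Scott's message or of the Shibboleth project's own configuration.] The three categories above, written down as a decision rule a selection script can actually evaluate. This is a stand-alone model in plain JavaScript so it runs under node; a real mfa-authn-config.xml script would carry the same logic but would read the relying party ID, the requested authentication contexts and the resolved user attributes from the IdP's contexts rather than from the plain objects used here. The relying party IDs, the "mfaExempt" attribute and the flow IDs "authn/Password" and "authn/Duo" are assumptions for illustration.

```javascript
// Added example: a stand-alone model of the MFA selection rules in the reply
// above, in plain JavaScript so it runs under node. In a real
// mfa-authn-config.xml the same decisions would live in the script the IdP
// evaluates, fed from the IdP's contexts instead of the plain objects here.

// Flow IDs are assumed for illustration ("authn/Duo" is a common second factor).
const PASSWORD_FLOW = "authn/Password";
const SECOND_FACTOR_FLOW = "authn/Duo";
// REFEDS MFA profile URI, the usual value an SP sends when it asks for MFA.
const MFA_CONTEXT = "https://refeds.org/profile/mfa";

// Constructed policy table (not a real deployment). This is the "arbitrary
// decision list" stored where the script can read it; in the IdP it maps onto
// relying party overrides plus a user attribute check.
const POLICY = {
  // Type 2: services that require MFA and cannot ask for it, enumerated by RP.
  alwaysMfa: new Set(["https://hr.example.edu/shibboleth"]),
  // Type 3: services that require MFA except when the user carries an
  // exemption attribute (attribute name and value are assumptions).
  conditionalMfa: {
    "https://wiki.example.edu/shibboleth": { attribute: "mfaExempt", value: "true" },
  },
};

// Type 1: the SP asked for MFA itself via a requested authentication context.
function spRequestedMfa(req) {
  return (req.requestedContexts || []).includes(MFA_CONTEXT);
}

// Decide whether this request must end with a second factor.
function mfaRequired(req) {
  if (spRequestedMfa(req)) return true;                       // type 1
  if (POLICY.alwaysMfa.has(req.relyingPartyId)) return true;  // type 2
  const rule = POLICY.conditionalMfa[req.relyingPartyId];
  if (rule) {                                                 // type 3
    // Attributes are multi-valued, so check membership rather than equality.
    const values = (req.attributes && req.attributes[rule.attribute]) || [];
    return !values.includes(rule.value);
  }
  return false;                                               // everyone else: password only
}

// Return the next flow to run, or null when authentication is complete.
// req.completed lists the flow IDs that have already succeeded, so the
// password flow always runs first and the second factor runs at most once.
function nextFlow(req) {
  const done = new Set(req.completed || []);
  if (!done.has(PASSWORD_FLOW)) return PASSWORD_FLOW;
  if (mfaRequired(req) && !done.has(SECOND_FACTOR_FLOW)) return SECOND_FACTOR_FLOW;
  return null;
}
```

The point of the table is that every rule the IdP applies is data the script can read: an RP either sits in the "always" set, sits in the conditional map with the attribute that exempts a user, or is absent and gets only what it asked for through the requested context.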



More information about the users mailing list